
The Four Golden Signals of Security Observability

Authors:   Duffie Cooley


Summary

Cilium is a cloud-native networking solution that provides identity-based context and observability for distributed systems.
  • Cilium provides identity-based context and observability for distributed systems
  • Cilium operates at the kernel layer and can make network policy decisions before traffic hits the wire
  • Cilium integrates with various cloud providers and is widely adopted
  • Cilium now exposes metrics in the way a service mesh does
Cilium's identity-based context and observability are exemplified by its Hubble tool, which lets users investigate what is happening at the network layer across the entire cluster. Hubble presents the context of what is happening on the network and filters it down to only the traffic the user is troubleshooting at that time. Cilium's ability to make network policy decisions before traffic hits the wire is demonstrated by its socket-layer load balancing, which gives a fast path for connections between two applications on the same node.

Abstract

Migrating to Kubernetes has exposed significant gaps in the security observability of running workloads. This gap in visibility not only provides a major advantage to sophisticated threat actors; it provides a serious disadvantage to cluster operators as well. Without security observability, an attacker can achieve and maintain a persistent foothold in your cluster - indefinitely and invisibly. Observability tools today collect metrics and event data, but how do we provide insights into threat detection, or help create a least-privilege security policy for your workloads?

We'll answer these questions by introducing the "Four Golden Signals of Security Observability." These signals are essential to understanding your cloud-native environment's behavior and include:

  1. Process Execution
  2. Network Sockets
  3. File Access
  4. Layer 7 Network Identity

Using eBPF, we can provide native visibility in the kernel for your workloads and remove the visibility gap that cluster operators are challenged with by collecting security observability data. This talk will also provide a walkthrough of each of the "Four Golden Signals" to detect a real-world attack in real time using eBPF-based open source tools, such as Cilium's Hubble and Tetragon.
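The following is an added example, not code from the talk or from the Cilium/Tetragon projects, showing how the four signals can be correlated per pod into a single detection. The events are constructed for the example and only loosely modeled on the shape of Tetragon's JSON export (process_exec, process_kprobe) and Hubble's flow JSON; the exact field names, the kernel hooks (tcp_connect, security_file_permission), the cluster CIDRs and the allowlist of identities permitted to call the API server are assumptions, and the external address comes from the 203.0.113.0/24 documentation range.

```python
"""Correlate Tetragon/Hubble-style events into the four golden signals.

Events are constructed samples, loosely modeled on Tetragon's JSON export
and Hubble's flow JSON. Field names and hook names are assumptions.
"""
import ipaddress
from collections import defaultdict

SHELLS = ("/bin/sh", "/bin/bash", "/bin/dash", "/busybox/sh")
SENSITIVE_PATHS = (
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "/etc/shadow",
)
# Assumed pod/service ranges; anything outside is treated as external.
CLUSTER_NETWORKS = [ipaddress.ip_network(c) for c in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: only this identity is expected to read secrets via the API server.
APISERVER_ALLOWLIST = {"k8s:app=controller"}

# Constructed sample events (not real captures).
SAMPLE_EVENTS = [
    # Signal 1: a shell is executed inside the web pod
    {"process_exec": {"process": {"exec_id": "web:1", "binary": "/bin/sh",
        "arguments": "-c id",
        "pod": {"namespace": "prod", "name": "web-7f9c"}}}},
    # Signal 2: that shell opens a TCP socket to an external address
    {"process_kprobe": {"function_name": "tcp_connect",
        "process": {"exec_id": "web:1", "binary": "/bin/sh",
            "pod": {"namespace": "prod", "name": "web-7f9c"}},
        "args": [{"sock_arg": {"daddr": "203.0.113.10", "dport": 4444}}]}},
    # Signal 3: it reads the service-account token
    {"process_kprobe": {"function_name": "security_file_permission",
        "process": {"exec_id": "web:1", "binary": "/bin/sh",
            "pod": {"namespace": "prod", "name": "web-7f9c"}},
        "args": [{"file_arg": {
            "path": "/var/run/secrets/kubernetes.io/serviceaccount/token"}}]}},
    # Signal 4: the web identity lists secrets through the API server (L7)
    {"flow": {"source": {"namespace": "prod", "pod_name": "web-7f9c",
            "labels": ["k8s:app=web"]},
        "destination": {"labels": ["reserved:kube-apiserver"]},
        "l7": {"http": {"method": "GET",
                        "url": "https://10.0.0.1/api/v1/secrets"}}}},
    # Benign pod: normal binary, reads only its own config file
    {"process_exec": {"process": {"exec_id": "api:7", "binary": "/app/server",
        "arguments": "--port 8080",
        "pod": {"namespace": "prod", "name": "api-5d"}}}},
    {"process_kprobe": {"function_name": "security_file_permission",
        "process": {"exec_id": "api:7", "binary": "/app/server",
            "pod": {"namespace": "prod", "name": "api-5d"}},
        "args": [{"file_arg": {"path": "/app/config.yaml"}}]}},
]


def pod_key(process):
    return (process["pod"]["namespace"], process["pod"]["name"])


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in CLUSTER_NETWORKS)


def classify(event):
    """Map one event to (pod, signal, detail), or None if uninteresting."""
    if "process_exec" in event:
        p = event["process_exec"]["process"]
        return (pod_key(p), "process_execution", p["binary"]) \
            if p["binary"] in SHELLS else None
    if "process_kprobe" in event:
        k = event["process_kprobe"]
        p = k["process"]
        for arg in k.get("args", []):
            sock = arg.get("sock_arg")
            if sock and k["function_name"] == "tcp_connect" \
                    and is_external(sock["daddr"]):
                return (pod_key(p), "network_socket",
                        f"{sock['daddr']}:{sock['dport']}")
            path = arg.get("file_arg", {}).get("path")
            if path in SENSITIVE_PATHS:
                return (pod_key(p), "file_access", path)
        return None
    if "flow" in event:
        f = event["flow"]
        http = f.get("l7", {}).get("http")
        to_apiserver = "reserved:kube-apiserver" in f["destination"].get("labels", [])
        allowed = APISERVER_ALLOWLIST & set(f["source"].get("labels", []))
        if http and to_apiserver and not allowed:
            return ((f["source"]["namespace"], f["source"]["pod_name"]),
                    "l7_identity", f"{http['method']} {http['url']}")
    return None


def correlate(events, threshold=3):
    """Group signals by pod; report pods that light up >= threshold signals."""
    seen = defaultdict(dict)
    for ev in events:
        hit = classify(ev)
        if hit:
            key, signal, detail = hit
            seen[key].setdefault(signal, detail)  # keep first occurrence
    return [{"namespace": ns, "pod": pod, "signals": dict(sorted(sig.items()))}
            for (ns, pod), sig in seen.items() if len(sig) >= threshold]


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The threshold is deliberately below four: a pod that spawns a shell, connects out and reads its token is worth an alert even before the Layer 7 signal arrives, while the benign pod (ordinary binary, ordinary file) produces no signals at all. Feeding real data means replacing SAMPLE_EVENTS with parsed lines from `tetragon --export-filename` output and `hubble observe -o json`, after checking the field names against the versions you run.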
